Financial Institution Letters

The FDIC is clarifying its supervisory approach to institutions establishing account relationships with third-party payment processors (TPPPs). FDIC guidance indicates that insured institutions that engage in customer relationships with TPPPs should assess their risk tolerance for this type of activity and develop an appropriate risk management framework, which includes policies and procedures that address due diligence, underwriting, and ongoing monitoring.

FDIC official guidance1 and an informational article that appeared in the Summer 2011 issue of the FDIC's Supervisory Insights2 describe potential risks associated with relationships with TPPPs facilitating payment transactions for merchant clients. The original documents contained lists of examples of telemarketing or Internet merchant categories that had been associated by the payments industry with higher-risk activity. These examples of merchant categories included activities that could be subject to complex or varying legal and regulatory environments, such as those that may be legal only in certain states; those that may be prohibited for certain consumers, such as minors; those that may be subject to varying state and federal licensing and reporting regimes; and those that may result in higher levels of complaints, returns, or chargebacks.

The lists of examples of merchant categories in the FDIC’s guidance and the article were intended to be illustrative of trends identified by the payments industry at the time the guidance and article were released. Further, the lists of examples of merchant categories were considered to be incidental to the primary purpose of the guidance, which was to describe the risks associated with financial institutions’ relationships with TPPPs, and to provide guidance to insured institutions on appropriate risk management for relationships with TPPPs. Nevertheless, the lists of examples of merchant categories have led to misunderstandings regarding the FDIC’s supervisory approach to institutions’ relationships with TPPPs, resulting in the misperception that the listed examples of merchant categories were prohibited or discouraged. The FDIC encourages insured depository institutions to serve their communities and recognizes the importance of services they provide. In fact, it is the FDIC’s policy that insured institutions that properly manage customer relationships are neither prohibited nor discouraged from providing services to customers operating in compliance with applicable federal and state law. Accordingly, as part of clarifying our guidance, the FDIC is removing the lists of examples of merchant categories from outstanding guidance and the article.

As part of its regular safety and soundness examination activities, the FDIC reviews and assesses the extent to which an institution having account relationships with TPPPs follows the outstanding guidance. Where an institution is following the outstanding guidance, the institution will not be criticized for establishing and maintaining account relationships with TPPPs.

Any concerns with the FDIC's application of this policy should be shared with the appropriate Regional Director, the Director of the Division of Risk Management Supervision at DirectorRMS@FDIC.gov, or the FDIC's Office of the Ombudsman at Ombudsman@FDIC.gov.

The revised 2008, 2012, and 2013 guidance and 2011 informational article can be found at these links:

2 "Managing Risks in Third-Party Payment Processor Relationships," FDIC Supervisory Insights, Summer 2011. Supervisory Insights contains timely and informative articles about risk management issues for bankers, but it is not official FDIC guidance. Supervisory Insights specifically states "The views expressed in Supervisory Insights are those of the authors and do not necessarily reflect official positions of the Federal Deposit Insurance Corporation. In particular, articles should not be construed as definitive regulatory or supervisory guidance."